(54) A network with a security capability.

(57) A network having a security capability (30) 
where the network includes a data bus, a 
plurality of stations (22) connected to the data 
bus and a security unit (30) which monitors 
traffic on the data bus and only enables 
authorized data to flow along the data bus. 
FIELD OF THE INVENTION

The present invention relates to local area net- 
works generally and to apparatus for reducing unau- 
thorized access to and sessions on such networks in 
particular. 

BACKGROUND OF THE INVENTION 

Local area networks (LANs), such as carrier 
sense, ring and shared-media networks, are very 
common. Typically, they are found within a corpora- 
tion or a university or among a number of closely lo- 
cated sites. 

The type of LAN determines how the elements of 
the LAN are connected together. A typical carrier 
sense multiple access LAN is shown in Fig. 1. It in- 
cludes a hub 10 to which are attached a plurality of 
stations 12, such as mainframe computers, worksta- 
tions and personal computers. The hub 10 typically 
controls the communications and includes in it a 
data bus along which messages 
are sent. Thus, if station 12a wants to send a message 
to station 12b, it first sends the message to hub 10 
which provides the message to the data bus. In a car- 
rier sense network, only the destination station, sta- 
tion 12b, can process the message. 

Each type of network typically includes a number 
of layers of communication. For example, according 
to the Reference Model of Open Systems Intercon- 
nection (OSI), there are the following seven layers: 
physical, data link, network, transport, session, pre- 
sentation and application. 

As is known in the art, the physical layer is the 
elements which provide the physical interconnection 
of the stations 12 and the hub 10. It simply sends and 
receives digital data. 

The data link layer, or medium access control 
(MAC) layer, removes any noisy data, retransmits 
poorly received data and breaks the digital data re- 
ceived by the physical layer into packets of data for 
later processing by the higher layers. The packets of 
data typically include physical source and destination 
addresses as well as the logical source (or user) and 
destination information and the message being sent. 

The network layer determines the routing of 
packets of data between stations. The other, higher, 
layers provide direct communication between the 
physical source and destination as well as the logical 
source and destination. The headers and control in- 
formation which form part of messages on the net- 
work are utilized, in the higher layers, to determine 
the destination station and the user, the final destin- 
ation, who has an account on the destination station. 

A full description of network communication can 
be found in the book Computer Networks by Andrew 
S. Tanenbaum, Prentice-Hall, Inc. Englewood Cliffs, 
New Jersey, 1981. 
It is known that a network can be accessed by an 
unauthorized user. Networks and individual stations 
12 typically reduce this problem by requiring that 
each user be identified by a user name and a pass- 
word. The sophistication of the user name and pass- 
word depend on the level of security required. How- 
ever, an unauthorized user can breach the security if 
he can connect his computer to the network and if he 
knows, or can guess, the username and password of 
another user. This type of security is known as "end 
user" security. 

Since data freely move about the data bus of the 
network, anyone who can access the data bus can 
process the data to read the messages. A network 
analyzer 14 is one apparatus which can process net- 
work data. It can be utilized to determine if any unau- 
thorized users attempted to access the network. If an 
unauthorized user is found, he can be shut off from 
the network. However, since the analysis operation is 
performed after the messages are sent on the net- 
work (i.e. off-line), the unauthorized user is not 
shut down as soon as he begins to operate. Thus, the 
unauthorized user has a window of at least several 
seconds to operate. 

European Patent Publication 431,751-A1 de- 
scribes a multiport repeater for a LAN. It operates to 
ensure that only designated receivers receive their 
messages. In effect, it ensures that the network ana- 
lyzer 14 can not "eavesdrop" on the data moving 
about the data bus. To do this, Publication 431,751- 
A1 corrupts each message for all destinations except 
the designated destination. 

Despite many attempts to tighten network secur- 
ity, it is still a widespread problem. 

SUMMARY OF THE INVENTION 

It is therefore an object of the present invention 
to provide an apparatus and method for improved 
LAN security. 

There is therefore provided, in accordance with a 
preferred embodiment of the present invention, a net- 
work having a security capability where the network 
includes a) a data bus, b) a plurality of stations con- 
nected to the data bus and c) a security unit which 
monitors traffic on the data bus and only enables au- 
thorized data to flow along the data bus. 

There is also provided, in accordance with a pre- 
ferred embodiment of the present invention, a secur- 
ity unit for a network having a data bus to which a plur- 
ality of stations can be connected wherein the secur- 
ity unit monitors traffic on the data bus and only en- 
ables authorized data to flow along the data bus. 

Additionally, in accordance with a preferred em- 
bodiment of the present invention, the data bus and 
the security unit are part of a hub. 

Furthermore, in accordance with a preferred em- 
bodiment of the present invention, the network is a lo- 
cal area network (LAN). Preferably, the network is a 
carrier sensing multiple access/collision detection 
type of LAN. 

Still further, in accordance with a preferred em- 
bodiment of the present invention, the security unit in- 
cludes a packet blocker operating in accordance with 
a protocol of the network and operative when unau- 
thorized communication is requested. 

Moreover, in accordance with a preferred em- 
bodiment of the present invention, the traffic includes 
a multiplicity of data packets each having source and 
destination addresses and the security unit includes 
a plurality of correlators for determining that the 
source and destination addresses indicate an autho- 
rized communication. 

Additionally, in accordance with a preferred em- 
bodiment of the present invention, each station is con- 
nected to the data bus via a port having a port ad- 
dress and one of the correlators correlates the 
source address with an authorized port address. 

There is also provided, in accordance with a pre- 
ferred embodiment of the present invention, a meth- 
od of securing a network having at least one hub, the 
method including the steps of a) for every piece of 
data sent on a data bus of the hub, wherein the piece 25 
of data includes at least source and destination sta- 
tion addresses, determining if said addresses con- 
form to a stored set of access rules, and b) if the out- 
put of the step of determining is false, sending a jam 
signal on the data bus and thereby causing a collision 
on the network. 

Finally, in accordance with a preferred embodi- 
ment of the present invention, the access rules in- 
clude at least one of the following rules: that the 
source station address be among a list of authorized 
source station addresses, that the source station be 
physically connected to an authorized port address 
and/or that the destination station address be in a list 
of authorized destination station addresses for the 
source station address. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The present invention will be understood and ap- 
preciated more fully from the following detailed de- 
scription taken in conjunction with the drawings in 
which: 

Fig. 1 is a schematic illustration of a prior art car- 
rier sense LAN network arrangement; 
Fig. 2 is a schematic illustration of a carrier sense 
LAN network arrangement including a network 
security unit, constructed and operative in accor- 
dance with a preferred embodiment of the pres- 
ent invention; 

Fig. 3 is a block diagram illustration of the ele- 
ments of the network security unit of Fig. 2; and 
Fig. 4 is a schematic illustration of a collection of 
hubs connected together to form an extended 
LAN network. 

DETAILED DESCRIPTION OF PRESENT 
INVENTION 

Reference is now made to Figs. 2 and 3 which re- 
spectively illustrate a network having the network se- 
curity unit 30 of the present invention and the ele- 
ments of security unit 30. As shown in Fig. 1, the net- 
work is of the carrier sense multiple access/collision de- 
tection type and comprises a hub 20, such as the LET 36 
manufactured by Lannet Data Communication Ltd., 
Tel Aviv, Israel, and a plurality of stations 22. The net- 
work shown in Fig. 2 utilizes the Ethernet network 
protocol, detailed in IEEE standards 802.3, such as 
10BaseT, 10BaseF, 10Base2, FOIRL, etc. 

In the network of Fig. 2, the hub 20 additionally 
comprises a plurality of ports 26 to which are attached 
one or more stations 22. 

Security unit 30 typically forms part of the hub 20 
and, in accordance with the present invention, oper- 
ates at the MAC layer. Security unit 30 can either be 
an integral part of hub 20 or an add-on unit to it. 
Security unit 30 is operative to ensure that the sta- 
tions 22 do not change their locations vis-a-vis the 
hub 20 and that only certain communication paths, 
(i.e. paths between certain stations 22) are enabled. 

For example, let station 22a be located in an of- 
fice of a manager, let station 22b contain in it the sal- 
ary database, and let station 22c be located in an of- 
fice of a programmer. In addition, let the manager be 
allowed to review the salary database, but not the 
programmer. If the security unit 30 detects a message 
from station 22c to station 22b, it will block that mes- 
sage. Furthermore, if the programmer physically 
moves his computer into the manager's office, (i.e. 
station 22c is now attached to port 26a), the security 
unit 30 will block any messages the programmer 
sends. Still further, any unauthorized stations 22 will 
not be allowed to send messages to any of the sta- 
tions of the network. 

The security unit 30 blocks messages sent by un- 
authorized stations or sent along unauthorized paths 
typically by utilizing the collision mechanism of the 
Ethernet protocol. As is known in the art, a collision 
on the network causes the sending station to stop 
transmission, for example in accordance with the 
IEEE 802.3 backoff algorithm. 

Thus, in accordance with the present invention, 
the operation of the security unit 30 does not interfere 
with the proper operation of the network but rather, 
utilizes a standard mechanism to add security to the 
network. 

The security unit 30 typically is connected, in par- 
allel to a data bus 40 forming part of hub 20, and mon- 
itors data packets moving on the bus 40. 

In the example of the Ethernet protocol, the unit 
30 typically is formed from a Very Large Scale Inte- 
grated (VLSI) circuit chip and comprises a MAC ad- 
dress stripper 42 (Fig. 3), such as is known in the art, 
for removing the physical source and destination ad- 
dresses (i.e. the station addresses) from a packet, an 
authorization unit 44 for determining whether or not 
the communication is authorized and a collision 
mechanism 46 for producing, on the data bus 40, a 
collision with the packet if not. 

The authorization unit 44 typically comprises 
three correlators 50, 52 and 54, a mode switch 56 and 
a decision unit 58. Correlator 50 determines whether 
or not the source station address is among the autho- 
rized source stations. Correlator 52 determines 
whether or not the source station address is attached 
to its corresponding port, where the port address is 
provided from the hub 20, in the case of the LET 36 
hub. Correlator 54 determines whether or not the 
source station is allowed to communicate with the 
destination station. 

Each of correlators 50 - 54 typically comprises a 
list of authorized relationships. Thus, correlator 50 
has a list of authorized stations, correlator 52 has a 
list of source addresses and their corresponding port 
addresses and correlator 54 has a list of source ad- 
dresses and their allowed destination addresses. 

If any of the correlators 50 - 54 determine that an 
unauthorized communication is requested, they pro- 
vide a disable signal to the decision unit 58. 

The correlators 50 - 54 must operate within the 
standard collision window of the Ethernet protocol in 
order not to significantly shrink the network. Thus, 
they can perform any fast correlation operation, such 
as a tree search, or, if the number of elements to be 
searched is low, a simple comparison. Appropriate 
correlation techniques are described in detail in The 
Art of Computer Programming: Vol. 3, Sorting and 
Searching by Donald Knuth, Addison-Wesley, Read- 
ing, Mass. 1973, which book is incorporated herein by 
reference. 

It will be appreciated that correlators 50 - 54 form 
part of the VLSI chip of unit 30 and therefore, operate 
relatively quickly. 

In accordance with the desires of a user, mode 
switch 56 defines which of the correlators 50 - 54 are 
currently active. Those which are active operate in parallel. 
Typically, at least the source address correlator 50 is 
active. 

If decision unit 58 receives at least one disable 
signal from the active correlators 50 - 54, it enables 
the collision mechanism 46 which outputs a jam sig- 
nal to the data bus 40 and causes thereby a bus col- 
lision. 

It will be appreciated that the security unit 30 op- 
erates in real-time and thus, must determine that a 
packet is unauthorized within the allotted time period. 

It is noted that the security unit 30 limits the size 
of the LAN due to the length of time it takes to oper- 
ate. Thus, the security unit 30 should be designed to 
operate as quickly as possible. 

A LAN having a plurality of hubs 20 (i.e. a LAN 
with more stations 22 than are controllable by one 
hub 20) can be maintained secure as described here- 
inbelow with respect to Fig. 4. 

Each hub 20 having a security unit 30 is attached 
to at least one other hub 20 via a security backbone 
port 60. Data coming through one of ports 60 is as- 
sumed to be secure and therefore, is not checked by 
the receiving hub 20. 

As described hereinabove, each security unit 30 
has defined in it a list of the authorized stations con- 
nected to it and the authorized destinations of each 
station. In the embodiment illustrated in Fig. 4, the list 
of authorized destinations of each station includes 
stations attached to the other hubs. Thus, the source 
and destination of any message sent from a first hub 
is checked and is only sent to the destination hub and 
station if the source and destination are authorized by 
the first hub. 
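The following Python model, added here and not part of the patent, simulates the authorization logic described for security unit 30 (correlators 50, 52 and 54, mode switch 56 and decision unit 58) together with the trust rule for security backbone port 60 of Fig. 4. Station addresses, port names and the AccessRules/decide names are constructed for the example; only the first 12 octets of an IEEE 802.3 frame (destination, then source address) are consulted, which is why a verdict can be reached inside the collision window.

```python
from dataclasses import dataclass, field

DST = slice(0, 6)    # IEEE 802.3 destination address octets
SRC = slice(6, 12)   # IEEE 802.3 source address octets

@dataclass
class AccessRules:
    authorized_sources: set     # correlator 50: authorized source stations
    port_of_source: dict        # correlator 52: source address -> its port
    allowed_destinations: dict  # correlator 54: source -> allowed destinations
    active: frozenset = frozenset({50, 52, 54})      # mode switch 56
    backbone_ports: set = field(default_factory=set)  # security backbone ports 60

def correlate(rules, src, dst, port):
    """Return the numbers of the active correlators raising a disable signal."""
    disable = set()
    if 50 in rules.active and src not in rules.authorized_sources:
        disable.add(50)
    if 52 in rules.active and rules.port_of_source.get(src) != port:
        disable.add(52)
    if 54 in rules.active and dst not in rules.allowed_destinations.get(src, set()):
        disable.add(54)
    return disable

def decide(rules, frame, port):
    """Decision unit 58: True means collision mechanism 46 must jam the bus.
    Only the first 12 octets are read, so the verdict is available well inside
    the 512-bit-time collision window (64-octet minimum frame)."""
    if port in rules.backbone_ports:
        return False   # trusted: already checked by the originating hub
    if len(frame) < 12:
        return True    # header truncated, cannot verify (choice made in this example)
    return bool(correlate(rules, frame[SRC], frame[DST], port))

# Constructed locally administered MAC addresses for the stations of the description.
MANAGER = bytes.fromhex("02000000000a")     # station 22a, manager's office
SALARY_DB = bytes.fromhex("02000000000b")   # station 22b, salary database
PROGRAMMER = bytes.fromhex("02000000000c")  # station 22c, programmer's office
INTRUDER = bytes.fromhex("02000000000d")    # station appearing on no list

RULES = AccessRules(
    authorized_sources={MANAGER, SALARY_DB, PROGRAMMER},
    port_of_source={MANAGER: "26a", SALARY_DB: "26b", PROGRAMMER: "26c"},
    allowed_destinations={MANAGER: {SALARY_DB}, SALARY_DB: {MANAGER}},
    backbone_ports={"60"},
)

def frame(dst, src):
    """Constructed minimal 802.3 frame: addresses, type field, zero payload (no FCS)."""
    return dst + src + b"\x08\x00" + bytes(46)

def demo():
    """Map each scenario of the description to True (jam) or False (pass)."""
    return {
        "manager reads salary db": decide(RULES, frame(SALARY_DB, MANAGER), "26a"),
        "programmer reads salary db": decide(RULES, frame(SALARY_DB, PROGRAMMER), "26c"),
        "programmer moved to port 26a": decide(RULES, frame(SALARY_DB, PROGRAMMER), "26a"),
        "unknown station": decide(RULES, frame(SALARY_DB, INTRUDER), "26d"),
        "via backbone port 60": decide(RULES, frame(SALARY_DB, INTRUDER), "60"),
    }
```

Switching off correlators 52 and 54 via `active` reproduces the minimal mode in which only the source-address list is enforced.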



It will be appreciated by persons skilled in the art 
that the present invention is not limited to what has 
been particularly shown and described hereinabove. 
Rather the scope of the present invention is defined 
only by the claims which follow: 

Claims 

1. A network having a security capability, the net- 
work comprising: 

a data bus; 

a plurality of stations connected to said 
data bus; and 

a security unit which monitors traffic on 
said data bus and only enables authorized data 
to flow along said data bus. 

2. A network according to claim 1 and wherein said 
data bus and said security unit are part of a hub. 

3. A network according to claim 1 and characterized 
in that it is a local area network (LAN). 

4. A network according to claim 3 and characterized 
in that it is a carrier sensing multiple access/col- 
lision detection type of LAN. 

5. A network according to claim 1 and wherein said 
security unit comprises a packet blocker operat- 
ing in accordance with a protocol of said network 
and operative when unauthorized communica- 
tion is requested. 

6. A network according to claim 1 wherein said traf- 
fic comprises a multiplicity of data packets each 
having source and destination addresses and 
wherein said security unit comprises a plurality of 
correlators for determining that said source and 
destination addresses indicate an authorized 
communication. 

7. A network according to claim 6 wherein each sta- 
tion is connected to said data bus via a port hav- 
ing a port address and wherein one of said cor- 
relators correlates said source address with an 
authorized port address. 

8. A method of securing a network having at least 
one hub, the method comprising the steps of: 

for every piece of data sent on a data bus 
of said hub, wherein said piece of data comprises 
at least source and destination station addresses, 
determining if said addresses conform to a stored 
set of access rules; 

if the output of said step of determining is 
false, sending a jam signal on said data bus. 

9. A method according to claim 8 and wherein said 
set of access rules includes the rule that said 
source station address must be among a list of 
authorized source station addresses. 

10. A method according to any of claims 8 - 9 and 
wherein said set of access rules includes the rule 
that said source station must be physically con- 
nected to an authorized port address. 

11. A method according to any of claims 8-10 and 
wherein said set of access rules includes the rule 
that said destination station address must be in a 
list of authorized destination station addresses 
for said source station address. 

12. A security unit for a network having a data bus to 
which a plurality of stations can be connected 
wherein said security unit monitors traffic on said 
data bus and only enables authorized data to flow 
along said data bus. 

13. A security unit according to claim 12 and wherein 
said data bus and said security unit are part of a 
hub. 

14. A security unit according to claim 12 and compris- 
ing a packet blocker operating in accordance with 
a protocol of said network and operative when 
unauthorized communication is requested. 

15. A security unit according to claim 12 wherein said 
traffic comprises a multiplicity of data packets 
each having source and destination addresses 
and wherein said security unit comprises a plur- 
ality of correlators for determining that said 
source and destination addresses indicate an au- 
thorized communication. 

16. A security unit according to claim 15 wherein 
each station is connected to said data bus via a 
port having a port address and wherein one of 
said correlators correlates said source address 
with an authorized port address. 